From: Patrick Donnelly
Date: Wed, 1 May 2024 01:41:14 +0000 (-0400)
Subject: mds: check relevant caps for fs include root_squash
X-Git-Tag: v18.2.4~44
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=042488bed3e80a81b662ed770b42790348c1bed4;p=ceph.git
mds: check relevant caps for fs include root_squash
When denying client reconnects because the MDS caps include root_squash and the client features do not include CEPHFS_FEATURE_MDS_AUTH_CAPS_CHECK, ensure those caps are only for the file system the MDS is joined to.
Fixes: https://tracker.ceph.com/issues/65733
Signed-off-by: Patrick Donnelly
(cherry picked from commit f79ae86f2c23388f6ecc3177764735e071998e09)
(cherry picked from commit 9b0f49212b11520961e0663fa0f0fa3452133ee7)
---
diff --git a/src/mds/MDSAuthCaps.h b/src/mds/MDSAuthCaps.h
index 2556127dc22ec..f77fd965a2fc5 100644
--- a/src/mds/MDSAuthCaps.h
+++ b/src/mds/MDSAuthCaps.h
@@ -288,10 +288,12 @@ public:
 }
 }
- bool root_squash_in_caps() const {
- for (const MDSCapGrant &g : grants) {
- if (g.match.root_squash) {
- return true;
+ bool root_squash_in_caps(std::string_view fs_name) const {
+ for (const MDSCapGrant& g : grants) {
+ if (g.match.match_fs(fs_name)) {
+ if (g.match.root_squash) {
+ return true;
+ }
 }
 }
 return false;
diff --git a/src/mds/Server.cc b/src/mds/Server.cc
index 48e7b03ae2146..23a3a82d4708a 100644
--- a/src/mds/Server.cc
+++ b/src/mds/Server.cc
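Review bot: In `root_squash_in_caps(fs_name)` in src/mds/MDSAuthCaps.h, whether an older client is refused now depends entirely on `g.match.match_fs(fs_name)`, whose definition is not in this hunk. It is worth confirming, and stating in a comment, that a grant naming no file system still matches every `fs_name`; if it did not, an unscoped `root_squash` grant would be skipped and a client without CEPHFS_FEATURE_MDS_AUTH_CAPS_CHECK would be admitted. Once confirmed, I would put `// True if any grant that applies to fs_name sets root_squash; grants without an fs name apply to all.` above the method and add unit tests for a grant scoped to another file system, an unscoped grant, and an empty `fs_name`. The nested conditions also read better as `if (g.match.match_fs(fs_name) && g.match.root_squash) {`. The enclosing class starts and ends outside the hunk.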
@@ -717,7 +717,9 @@ void Server::handle_client_session(const cref_t &m)
 break;
 }
- if (session->auth_caps.root_squash_in_caps() && !client_metadata.features.test(CEPHFS_FEATURE_MDS_AUTH_CAPS_CHECK)) {
+ std::string_view fs_name = mds->mdsmap->get_fs_name();
+ bool client_caps_check = client_metadata.features.test(CEPHFS_FEATURE_MDS_AUTH_CAPS_CHECK);
+ if (session->auth_caps.root_squash_in_caps(fs_name) && !client_caps_check) {
 CachedStackStringStream css;
 *css << "client lacks CEPHFS_FEATURE_MDS_AUTH_CAPS_CHECK needed to enforce 'root_squash' MDS auth caps";
 send_reject_message(css->strv());
@@ -1573,8 +1575,9 @@ void Server::handle_client_reconnect(const cref_t &m)
 *css << "missing required features '" << missing_features << "'";
 error_str = css->strv();
 }
- if (session->auth_caps.root_squash_in_caps() &&
- !session->info.client_metadata.features.test(CEPHFS_FEATURE_MDS_AUTH_CAPS_CHECK)) {
+ std::string_view fs_name = mds->mdsmap->get_fs_name();
+ bool client_caps_check = session->info.client_metadata.features.test(CEPHFS_FEATURE_MDS_AUTH_CAPS_CHECK);
+ if (session->auth_caps.root_squash_in_caps(fs_name) && !client_caps_check) {
 CachedStackStringStream css;
 *css << "client lacks CEPHFS_FEATURE_MDS_AUTH_CAPS_CHECK needed to enforce 'root_squash' MDS auth caps";
 error_str = css->strv();
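Review bot: The root_squash gate is now written out twice, in handle_client_session and again in the handle_client_reconnect hunk (`fs_name`, `client_caps_check`, then the `root_squash_in_caps(fs_name)` test), so a later change to one path can leave the other enforcing a different rule. A private helper on Server that takes the session and the client feature set and returns whether to refuse would keep the two in step. Both new locals can be `const`, e.g. `const bool client_caps_check = ...;`. The rejection text in both places does not say which file system triggered it; appending it, `*css << " (fs '" << fs_name << "')";`, would make refused sessions easier to triage. Both function bodies continue outside their hunks.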